From 1568aaeade137f00e1e58ee95c03bf91c8892334 Mon Sep 17 00:00:00 2001 
From: Jonathan Esterhazy Date: Tue, 5 Jul 2022 02:40:14 -0500 Subject: [PATCH] fix(stepfunctions-tasks): SqsSendMessage is missing KMS permissions (#20990) The SqsSendMessage task does not add the required KMS permissions when the destination queue uses a custom encryption key. This change adds the `kms:Decrypt` and `kms:GenerateDataKey*` actions. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? 
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../lib/sqs/send-message.ts | 10 +
 .../test/sqs/integ.send-message-encrypted.ts | 50 +++
 ...s-tasks-sqs-send-message-integ.assets.json | 19 ++
 ...tasks-sqs-send-message-integ.template.json | 254 +++++++++++++++
 .../cdk.out | 1 +
 .../manifest.json | 106 +++++++
 .../tree.json | 297 ++++++++++++++++++
 7 files changed, 737 insertions(+)
 create mode 100644 packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/integ.send-message-encrypted.ts
 create mode 100644 packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/aws-stepfunctions-tasks-sqs-send-message-integ.assets.json
 create mode 100644 packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/aws-stepfunctions-tasks-sqs-send-message-integ.template.json
 create mode 100644 packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/cdk.out
 create mode 100644 packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/manifest.json
 create mode 100644 packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/tree.json
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/sqs/send-message.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/sqs/send-message.ts
index 3a2db5d9e7134..16a01bba5d05f 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/sqs/send-message.ts
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/sqs/send-message.ts
@@ -84,6 +84,16 @@ export class SqsSendMessage extends sfn.TaskStateBase {
 resources: [this.props.queue.queueArn],
 }),
 ];
+
+ // sending to an encrypted queue requires
+ // permissions on the associated kms key
+ if (this.props.queue.encryptionMasterKey) {
+ this.taskPolicies.push(
+ new iam.PolicyStatement({
+ actions: ['kms:Decrypt', 'kms:GenerateDataKey*'],
+ resources: [this.props.queue.encryptionMasterKey.keyArn],
+ }));
+ }
 }
 
 /**
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/integ.send-message-encrypted.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/integ.send-message-encrypted.ts
new file mode 100644
index 0000000000000..d461bb1f1fd98
--- /dev/null
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/integ.send-message-encrypted.ts
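Review bot: `kms:GenerateDataKey*` in the new statement is wider than the SendMessage path needs: the wildcard also matches `kms:GenerateDataKeyPair`, `kms:GenerateDataKeyPairWithoutPlaintext` and `kms:GenerateDataKeyWithoutPlaintext`, so `actions: ['kms:Decrypt', 'kms:GenerateDataKey'],` is the least-privilege form. If the wildcard is kept on purpose to match how other grants in the library spell this, a comment saying so would stop the next reader from tightening it; the existing two-line comment could also explain why a sender needs `kms:Decrypt` at all (presumably SQS's data-key reuse — worth confirming against the SQS SSE documentation before writing it down). The constructor this code runs in starts before the hunk. A unit test in the send-message test suite asserting this statement for a KMS-encrypted queue, and its absence for an unencrypted one, would pin the fix without relying on the integ snapshot.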
@@ -0,0 +1,50 @@
+import * as sqs from '@aws-cdk/aws-sqs';
+import * as sfn from '@aws-cdk/aws-stepfunctions';
+import * as cdk from '@aws-cdk/core';
+import { SqsSendMessage } from '../../lib/sqs/send-message';
+
+/*
+ * Creates a state machine with a task state to send a message to an SQS
+ * queue.
+ *
+ * When the state machine is executed, it will send a message to our
+ * queue, which can subsequently be consumed.
+ *
+ * Stack verification steps:
+ * The generated State Machine can be executed from the CLI (or Step Functions console)
+ * and runs with an execution status of `Succeeded`.
+ *
+ * -- aws stepfunctions start-execution --state-machine-arn provides execution arn
+ * -- aws stepfunctions describe-execution --execution-arn returns a status of `Succeeded`
+ * -- aws sqs receive-message --queue-url has a message of 'sending message over'
+ */
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'aws-stepfunctions-tasks-sqs-send-message-integ');
+const queue = new sqs.Queue(stack, 'show-me-the-messages', {
+ encryption: sqs.QueueEncryption.KMS,
+});
+
+const sendMessageTask = new SqsSendMessage(stack, 'send message to sqs', {
+ queue,
+ messageBody: sfn.TaskInput.fromText('sending message over'),
+});
+
+const finalStatus = new sfn.Pass(stack, 'Final step');
+
+const chain = sfn.Chain.start(sendMessageTask)
+ .next(finalStatus);
+
+const sm = new sfn.StateMachine(stack, 'StateMachine', {
+ definition: chain,
+ timeout: cdk.Duration.seconds(30),
+});
+
+new cdk.CfnOutput(stack, 'stateMachineArn', {
+ value: sm.stateMachineArn,
+});
+
+new cdk.CfnOutput(stack, 'queueUrl', {
+ value: queue.queueUrl,
+});
+
+app.synth();
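Review bot: The customer-managed key that `encryption: sqs.QueueEncryption.KMS` creates is synthesized with `DeletionPolicy: Retain` (visible on the `AWS::KMS::Key` in the template snapshot), so every deploy of this integ test leaves an orphaned key in the test account after the stack is destroyed. Adding `queue.encryptionMasterKey?.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);` right after the queue is created keeps the IAM statements the snapshot verifies unchanged while letting teardown schedule the key for deletion. The verification steps in the header comment could also say to check that the state machine role's policy carries the `kms:Decrypt` / `kms:GenerateDataKey*` statement, since that is the behaviour this test exists to cover.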
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/aws-stepfunctions-tasks-sqs-send-message-integ.assets.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/aws-stepfunctions-tasks-sqs-send-message-integ.assets.json new file mode 100644 index 0000000000000..c94092bccd6f6 --- /dev/null +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/aws-stepfunctions-tasks-sqs-send-message-integ.assets.json @@ -0,0 +1,19 @@ +{ + "version": "20.0.0", + "files": { + "a598966383649ea6d920222923e22b0f5e7568d4eb610c8c0a5167f4ccc2a2b5": { + "source": { + "path": "aws-stepfunctions-tasks-sqs-send-message-integ.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "a598966383649ea6d920222923e22b0f5e7568d4eb610c8c0a5167f4ccc2a2b5.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/aws-stepfunctions-tasks-sqs-send-message-integ.template.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/aws-stepfunctions-tasks-sqs-send-message-integ.template.json new file mode 100644 index 0000000000000..569e5fe7bc13d --- /dev/null +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/aws-stepfunctions-tasks-sqs-send-message-integ.template.json 
@@ -0,0 +1,254 @@ +{ + "Resources": { + "showmethemessagesKeyC4D56D85": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "Description": "Created by aws-stepfunctions-tasks-sqs-send-message-integ/show-me-the-messages" + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "showmethemessages8D16BBDB": { + "Type": "AWS::SQS::Queue", + "Properties": { + "KmsMasterKeyId": { + "Fn::GetAtt": [ + "showmethemessagesKeyC4D56D85", + "Arn" + ] + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "StateMachineRoleB840431D": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::FindInMap": [ + "ServiceprincipalMap", + { + "Ref": "AWS::Region" + }, + "states" + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "StateMachineRoleDefaultPolicyDF1E6607": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sqs:SendMessage", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "showmethemessages8D16BBDB", + "Arn" + ] + } + }, + { + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "showmethemessagesKeyC4D56D85", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "StateMachineRoleDefaultPolicyDF1E6607", + "Roles": [ + { + "Ref": "StateMachineRoleB840431D" + } + ] + } + }, + "StateMachine2E01A3A5": { + "Type": "AWS::StepFunctions::StateMachine", + "Properties": { + "RoleArn": { + "Fn::GetAtt": [ + "StateMachineRoleB840431D", + "Arn" + ] + }, + 
"DefinitionString": { + "Fn::Join": [ + "", + [ + "{\"StartAt\":\"send message to sqs\",\"States\":{\"send message to sqs\":{\"Next\":\"Final step\",\"Type\":\"Task\",\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":states:::sqs:sendMessage\",\"Parameters\":{\"QueueUrl\":\"", + { + "Ref": "showmethemessages8D16BBDB" + }, + "\",\"MessageBody\":\"sending message over\"}},\"Final step\":{\"Type\":\"Pass\",\"End\":true}},\"TimeoutSeconds\":30}" + ] + ] + } + }, + "DependsOn": [ + "StateMachineRoleDefaultPolicyDF1E6607", + "StateMachineRoleB840431D" + ] + } + }, + "Outputs": { + "stateMachineArn": { + "Value": { + "Ref": "StateMachine2E01A3A5" + } + }, + "queueUrl": { + "Value": { + "Ref": "showmethemessages8D16BBDB" + } + } + }, + "Mappings": { + "ServiceprincipalMap": { + "af-south-1": { + "states": "states.af-south-1.amazonaws.com" + }, + "ap-east-1": { + "states": "states.ap-east-1.amazonaws.com" + }, + "ap-northeast-1": { + "states": "states.ap-northeast-1.amazonaws.com" + }, + "ap-northeast-2": { + "states": "states.ap-northeast-2.amazonaws.com" + }, + "ap-northeast-3": { + "states": "states.ap-northeast-3.amazonaws.com" + }, + "ap-south-1": { + "states": "states.ap-south-1.amazonaws.com" + }, + "ap-southeast-1": { + "states": "states.ap-southeast-1.amazonaws.com" + }, + "ap-southeast-2": { + "states": "states.ap-southeast-2.amazonaws.com" + }, + "ap-southeast-3": { + "states": "states.ap-southeast-3.amazonaws.com" + }, + "ca-central-1": { + "states": "states.ca-central-1.amazonaws.com" + }, + "cn-north-1": { + "states": "states.cn-north-1.amazonaws.com" + }, + "cn-northwest-1": { + "states": "states.cn-northwest-1.amazonaws.com" + }, + "eu-central-1": { + "states": "states.eu-central-1.amazonaws.com" + }, + "eu-north-1": { + "states": "states.eu-north-1.amazonaws.com" + }, + "eu-south-1": { + "states": "states.eu-south-1.amazonaws.com" + }, + "eu-south-2": { + "states": "states.eu-south-2.amazonaws.com" + }, + "eu-west-1": { + "states": 
"states.eu-west-1.amazonaws.com" + }, + "eu-west-2": { + "states": "states.eu-west-2.amazonaws.com" + }, + "eu-west-3": { + "states": "states.eu-west-3.amazonaws.com" + }, + "me-south-1": { + "states": "states.me-south-1.amazonaws.com" + }, + "sa-east-1": { + "states": "states.sa-east-1.amazonaws.com" + }, + "us-east-1": { + "states": "states.us-east-1.amazonaws.com" + }, + "us-east-2": { + "states": "states.us-east-2.amazonaws.com" + }, + "us-gov-east-1": { + "states": "states.us-gov-east-1.amazonaws.com" + }, + "us-gov-west-1": { + "states": "states.us-gov-west-1.amazonaws.com" + }, + "us-iso-east-1": { + "states": "states.amazonaws.com" + }, + "us-iso-west-1": { + "states": "states.amazonaws.com" + }, + "us-isob-east-1": { + "states": "states.amazonaws.com" + }, + "us-west-1": { + "states": "states.us-west-1.amazonaws.com" + }, + "us-west-2": { + "states": "states.us-west-2.amazonaws.com" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/cdk.out new file mode 100644 index 0000000000000..588d7b269d34f --- /dev/null +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"20.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/manifest.json new file mode 100644 index 0000000000000..a52d3a7e36e55 --- /dev/null +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/manifest.json 
@@ -0,0 +1,106 @@ +{ + "version": "20.0.0", + "artifacts": { + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-stepfunctions-tasks-sqs-send-message-integ.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-stepfunctions-tasks-sqs-send-message-integ.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-stepfunctions-tasks-sqs-send-message-integ": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-stepfunctions-tasks-sqs-send-message-integ.template.json", + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a598966383649ea6d920222923e22b0f5e7568d4eb610c8c0a5167f4ccc2a2b5.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-stepfunctions-tasks-sqs-send-message-integ.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-stepfunctions-tasks-sqs-send-message-integ.assets" + ], + "metadata": { + "/aws-stepfunctions-tasks-sqs-send-message-integ/show-me-the-messages/Key/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "showmethemessagesKeyC4D56D85" + } + ], + "/aws-stepfunctions-tasks-sqs-send-message-integ/show-me-the-messages/Resource": [ + { 
+ "type": "aws:cdk:logicalId", + "data": "showmethemessages8D16BBDB" + } + ], + "/aws-stepfunctions-tasks-sqs-send-message-integ/StateMachine/Role/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "StateMachineRoleB840431D" + } + ], + "/aws-stepfunctions-tasks-sqs-send-message-integ/StateMachine/Role/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "StateMachineRoleDefaultPolicyDF1E6607" + } + ], + "/aws-stepfunctions-tasks-sqs-send-message-integ/StateMachine/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "StateMachine2E01A3A5" + } + ], + "/aws-stepfunctions-tasks-sqs-send-message-integ/stateMachineArn": [ + { + "type": "aws:cdk:logicalId", + "data": "stateMachineArn" + } + ], + "/aws-stepfunctions-tasks-sqs-send-message-integ/queueUrl": [ + { + "type": "aws:cdk:logicalId", + "data": "queueUrl" + } + ], + "/aws-stepfunctions-tasks-sqs-send-message-integ/Service-principalMap": [ + { + "type": "aws:cdk:logicalId", + "data": "ServiceprincipalMap" + } + ], + "/aws-stepfunctions-tasks-sqs-send-message-integ/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-stepfunctions-tasks-sqs-send-message-integ/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-stepfunctions-tasks-sqs-send-message-integ" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/tree.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/tree.json new file mode 100644 index 0000000000000..a9d94336774b2 --- /dev/null +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sqs/send-message-encrypted.integ.snapshot/tree.json 
@@ -0,0 +1,297 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.33" + } + }, + "aws-stepfunctions-tasks-sqs-send-message-integ": { + "id": "aws-stepfunctions-tasks-sqs-send-message-integ", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ", + "children": { + "show-me-the-messages": { + "id": "show-me-the-messages", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/show-me-the-messages", + "children": { + "Key": { + "id": "Key", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/show-me-the-messages/Key", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/show-me-the-messages/Key/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "description": "Created by aws-stepfunctions-tasks-sqs-send-message-integ/show-me-the-messages" + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-kms.Key", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/show-me-the-messages/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::SQS::Queue", + "aws:cdk:cloudformation:props": { + "kmsMasterKeyId": { + "Fn::GetAtt": [ + "showmethemessagesKeyC4D56D85", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-sqs.CfnQueue", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": 
"@aws-cdk/aws-sqs.Queue", + "version": "0.0.0" + } + }, + "send message to sqs": { + "id": "send message to sqs", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/send message to sqs", + "constructInfo": { + "fqn": "@aws-cdk/aws-stepfunctions-tasks.SqsSendMessage", + "version": "0.0.0" + } + }, + "Final step": { + "id": "Final step", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/Final step", + "constructInfo": { + "fqn": "@aws-cdk/aws-stepfunctions.Pass", + "version": "0.0.0" + } + }, + "StateMachine": { + "id": "StateMachine", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/StateMachine", + "children": { + "Role": { + "id": "Role", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/StateMachine/Role", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/StateMachine/Role/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::FindInMap": [ + "ServiceprincipalMap", + { + "Ref": "AWS::Region" + }, + "states" + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/StateMachine/Role/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/StateMachine/Role/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": "sqs:SendMessage", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "showmethemessages8D16BBDB", + "Arn" + ] + } + }, + { + "Action": [ + "kms:Decrypt", + 
"kms:GenerateDataKey*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "showmethemessagesKeyC4D56D85", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "StateMachineRoleDefaultPolicyDF1E6607", + "roles": [ + { + "Ref": "StateMachineRoleB840431D" + } + ] + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/StateMachine/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::StepFunctions::StateMachine", + "aws:cdk:cloudformation:props": { + "roleArn": { + "Fn::GetAtt": [ + "StateMachineRoleB840431D", + "Arn" + ] + }, + "definitionString": { + "Fn::Join": [ + "", + [ + "{\"StartAt\":\"send message to sqs\",\"States\":{\"send message to sqs\":{\"Next\":\"Final step\",\"Type\":\"Task\",\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":states:::sqs:sendMessage\",\"Parameters\":{\"QueueUrl\":\"", + { + "Ref": "showmethemessages8D16BBDB" + }, + "\",\"MessageBody\":\"sending message over\"}},\"Final step\":{\"Type\":\"Pass\",\"End\":true}},\"TimeoutSeconds\":30}" + ] + ] + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-stepfunctions.CfnStateMachine", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-stepfunctions.StateMachine", + "version": "0.0.0" + } + }, + "stateMachineArn": { + "id": "stateMachineArn", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/stateMachineArn", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnOutput", + "version": "0.0.0" + } + }, + "queueUrl": { + "id": "queueUrl", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/queueUrl", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnOutput", + "version": "0.0.0" + } + }, + 
"Service-principalMap": { + "id": "Service-principalMap", + "path": "aws-stepfunctions-tasks-sqs-send-message-integ/Service-principalMap", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnMapping", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/core.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/core.App", + "version": "0.0.0" + } + } +} \ No newline at end of file